Commit 06674679 authored by Eric Paris's avatar Eric Paris Committed by James Morris

Currently SELinux jumps through some ugly hoops to not audit a capability
check when determining if a process has additional powers to override
memory limits or when trying to read/write illegal file labels.  Use
the new noaudit call instead.
Signed-off-by: default avatarEric Paris <eparis@redhat.com>
Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
parent a2f2945a
...@@ -1979,16 +1979,8 @@ static int selinux_syslog(int type) ...@@ -1979,16 +1979,8 @@ static int selinux_syslog(int type)
static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
{ {
int rc, cap_sys_admin = 0; int rc, cap_sys_admin = 0;
struct task_security_struct *tsec = current->security;
rc = secondary_ops->capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT);
if (rc == 0)
rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
SECCLASS_CAPABILITY,
CAP_TO_MASK(CAP_SYS_ADMIN),
0,
NULL);
rc = selinux_capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT);
if (rc == 0) if (rc == 0)
cap_sys_admin = 1; cap_sys_admin = 1;
...@@ -2820,7 +2812,6 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name ...@@ -2820,7 +2812,6 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
u32 size; u32 size;
int error; int error;
char *context = NULL; char *context = NULL;
struct task_security_struct *tsec = current->security;
struct inode_security_struct *isec = inode->i_security; struct inode_security_struct *isec = inode->i_security;
if (strcmp(name, XATTR_SELINUX_SUFFIX)) if (strcmp(name, XATTR_SELINUX_SUFFIX))
...@@ -2835,13 +2826,7 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name ...@@ -2835,13 +2826,7 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
* and lack of permission just means that we fall back to the * and lack of permission just means that we fall back to the
* in-core context value, not a denial. * in-core context value, not a denial.
*/ */
error = secondary_ops->capable(current, CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT); error = selinux_capable(current, CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT);
if (!error)
error = avc_has_perm_noaudit(tsec->sid, tsec->sid,
SECCLASS_CAPABILITY2,
CAPABILITY2__MAC_ADMIN,
0,
NULL);
if (!error) if (!error)
error = security_sid_to_context_force(isec->sid, &context, error = security_sid_to_context_force(isec->sid, &context,
&size); &size);
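Review bot: Both call sites now rely entirely on selinux_capable() to pick the right object class and to honour its third argument, and that function is not visible in these hunks. The removed code in selinux_inode_getsecurity checked CAP_MAC_ADMIN against SECCLASS_CAPABILITY2 / CAPABILITY2__MAC_ADMIN explicitly, so please confirm that selinux_capable() selects the capability2 class for CAP_MAC_ADMIN and passes SECURITY_CAP_NOAUDIT through to both the secondary module and the AVC lookup. Otherwise these probes would either test a different permission than before or start logging AVC denials for what are only fallback decisions. In selinux_vm_enough_memory I would also add a comment above the new call, e.g. `/* Probe only: lacking CAP_SYS_ADMIN just means no extra allowance over the memory limits, so do not audit. */`, matching the explanation selinux_inode_getsecurity already carries. Both function bodies continue outside the hunks.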